packages/python-ldap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!31 [sync] PR-28: fix CVE-2021-46823

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @compile_success 
Signed-off-by: @compile_success
This commit is contained in:
openeuler-ci-bot 2022-07-27 07:08:21 +00:00 committed by Gitee
commit cc4f3bcd3f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 104 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
backport-0001-CVE-2021-46823.patch Normal file
View File

@ -0,0 +1,74 @@
From 7e084aec1ba9ced25b44fd3db77e65242a827806 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Wed, 6 May 2020 15:48:46 +0100
Subject: [PATCH] Get rid of expected failures in tokenizer tests
https://github.com/python-ldap/python-ldap/pull/283
---
Lib/ldap/schema/tokenizer.py | 10 +++++++---
Tests/t_ldap_schema_tokenizer.py | 6 ++----
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/Lib/ldap/schema/tokenizer.py b/Lib/ldap/schema/tokenizer.py
index 20958c09..69823f2b 100644
--- a/Lib/ldap/schema/tokenizer.py
+++ b/Lib/ldap/schema/tokenizer.py
@@ -13,12 +13,16 @@
r"|" # or
r"([^'$()\s]+)" # string of length >= 1 without '$() or whitespace
r"|" # or
- r"('.*?'(?!\w))" # any string or empty string surrounded by single quotes
- # except if right quote is succeeded by alphanumeric char
+ r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))"
+ # any string or empty string surrounded by unescaped
+ # single quotes except if right quote is succeeded by
+ # alphanumeric char
r"|" # or
r"([^\s]+?)", # residue, all non-whitespace strings
).findall
+UNESCAPE_PATTERN = re.compile(r"\\(.)")
+
def split_tokens(s):
"""
@@ -30,7 +34,7 @@ def split_tokens(s):
if unquoted:
parts.append(unquoted)
elif quoted:
- parts.append(quoted[1:-1])
+ parts.append(UNESCAPE_PATTERN.sub(r'\1', quoted[1:-1]))
elif opar:
parens += 1
parts.append(opar)
diff --git a/Tests/t_ldap_schema_tokenizer.py b/Tests/t_ldap_schema_tokenizer.py
index c8581771..0890379a 100644
--- a/Tests/t_ldap_schema_tokenizer.py
+++ b/Tests/t_ldap_schema_tokenizer.py
@@ -44,8 +44,8 @@
# broken schema of Oracle Internet Directory
TESTCASES_BROKEN_OID = (
- ("BLUBB DI 'BLU B B ER'MUST 'BLAH' ", ['BLUBB', 'DI', 'BLU B B ER', 'MUST', 'BLAH']),
- ("BLUBBER DI 'BLU'BB ER' DA 'BLAH' ", ["BLUBBER", "DI", "BLU'BB ER", "DA", "BLAH"]),
+ "BLUBB DI 'BLU B B ER'MUST 'BLAH' ", #['BLUBB', 'DI', 'BLU B B ER', 'MUST', 'BLAH']
+ "BLUBBER DI 'BLU'BB ER' DA 'BLAH' ", #["BLUBBER", "DI", "BLU'BB ER", "DA", "BLAH"]
)
# for quoted single quotes inside string values
@@ -104,14 +104,12 @@ def test_utf8(self):
"""
self._run_split_tokens_tests(TESTCASES_UTF8)
- @unittest.expectedFailure
def test_broken_oid(self):
"""
run test cases specified in constant TESTCASES_BROKEN_OID
"""
self._run_failure_tests(TESTCASES_BROKEN_OID)
- @unittest.expectedFailure
def test_escaped_quotes(self):
"""
run test cases specified in constant TESTCASES_ESCAPED_QUOTES

22
backport-0002-CVE-2021-46823.patch Normal file
View File

@ -0,0 +1,22 @@
From faa011b41f7141121546045925d809d54e70f5fd Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 15 Oct 2021 15:21:37 +0100
Subject: [PATCH] Fix ReDoS in regex.
---
Lib/ldap/schema/tokenizer.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Lib/ldap/schema/tokenizer.py b/Lib/ldap/schema/tokenizer.py
index 69823f2b..623b86d5 100644
--- a/Lib/ldap/schema/tokenizer.py
+++ b/Lib/ldap/schema/tokenizer.py
@@ -13,7 +13,7 @@
r"|" # or
r"([^'$()\s]+)" # string of length >= 1 without '$() or whitespace
r"|" # or
- r"('(?:[^'\\]|\\\\|\\.)*?'(?!\w))"
+ r"('(?:[^'\\]|\\.)*'(?!\w))"
# any string or empty string surrounded by unescaped
# single quotes except if right quote is succeeded by
# alphanumeric char

10
python-ldap.spec
View File

@ -1,12 +1,15 @@
%define debug_package %{nil} %define debug_package %{nil}
Name: python-ldap Name: python-ldap
Version: 3.1.0 Version: 3.1.0
Release: 3 Release: 4
Summary: An object-oriented API to access LDAP directory servers Summary: An object-oriented API to access LDAP directory servers
License: Python License: Python
URL: http://python-ldap.org/ URL: http://python-ldap.org/
Source0: https://files.pythonhosted.org/packages/source/p/%{name}/%{name}-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/p/%{name}/%{name}-%{version}.tar.gz
Patch0: backport-0001-CVE-2021-46823.patch
Patch1: backport-0002-CVE-2021-46823.patch
BuildRequires: gcc openldap-devel openssl-devel cyrus-sasl-devel BuildRequires: gcc openldap-devel openssl-devel cyrus-sasl-devel
BuildRequires: python3-devel python3-setuptools openldap-servers BuildRequires: python3-devel python3-setuptools openldap-servers
@ -35,7 +38,7 @@ OpenLDAP 2.x libraries, and contains modules for other LDAP-related tasks\
%package_help %package_help
%prep %prep
%autosetup -n %{name}-%{version} %autosetup -p1 -n %{name}-%{version}
find . -name '*.py' | xargs sed -i '1s|^#!/usr/bin/env python|#!%{__python3}|' find . -name '*.py' | xargs sed -i '1s|^#!/usr/bin/env python|#!%{__python3}|'
sed -i 's,-Werror,-Wignore,g' tox.ini sed -i 's,-Werror,-Wignore,g' tox.ini
%build %build
@ -56,6 +59,9 @@ sed -i 's,-Werror,-Wignore,g' tox.ini
%doc CHANGES README TODO Demo %doc CHANGES README TODO Demo
%changelog %changelog
* Tue Jul 26 2022 zhouwenpei<zhouwenpei1@h-partners.com> - 3.1.0-4
- fix CVE-2021-46823
* Wed Oct 14 2020 shixuantong<shixuantong@huawei.com> - 3.1.0-3 * Wed Oct 14 2020 shixuantong<shixuantong@huawei.com> - 3.1.0-3
- delete useless buildrequires - delete useless buildrequires